Optimizing Indirect Access in SAP Licensing

Optimizing Indirect Access in SAP Licensing

SAP indirect access occurs when third-party systems or external users utilize SAP data or functions without directly logging into the SAP system.

This often-overlooked aspect of SAP licensing can lead to surprise fees and compliance risks if not managed.

By optimizing indirect access through SAP’s Digital Access licensing model, careful monitoring, and strategic contract negotiation, enterprises can significantly reduce costs and avoid unexpected audit penalties while ensuring compliance.

Indirect Access in SAP

Indirect access refers to scenarios where people or applications interact with an SAP system through a non-SAP intermediary or interface.

For example, if a customer places an order on a web portal that then creates a sales order in SAP, or if a Salesforce CRM updates data in SAP, those are indirect uses of SAP.

The user or device isn’t logging in to SAP, but SAP’s data and business processes are still being consumed.

Why it matters:

SAP traditionally required a named user license for each individual or system that accessed SAP directly or indirectly.

This was often unclear and hard to enforce – companies might unknowingly accumulate dozens or thousands of external users and IoT devices using SAP data without proper licenses.

In an audit, SAP can identify these access points through technical logs and integration accounts, potentially resulting in hefty back-license fees.

As businesses connect SAP to e-commerce sites, supplier portals, mobile apps, and smart devices, indirect access has become a critical compliance concern. Failing to address it is like leaving a ticking time bomb in your SAP contract.

Read Identifying Unused SAP Licenses.

Traditional vs. Digital Access Licensing Models

SAP offers two licensing approaches for indirect use: the traditional named-user model and the newer Digital Access (document-based) model.

The traditional approach treats every indirect user or device like a direct user – each requires an appropriate SAP user license (e.g., a costly “Professional” user license).

This approach becomes impractical for high-volume external use (you wouldn’t buy 10,000 licenses for 10,000 occasional customer users, for instance).

Digital Access flips the model by licensing the outcomes of indirect usage, rather than the users. SAP identified nine document types (such as Sales Orders, Invoices, Purchase Orders, Material documents, etc.) that are commonly created via external interactions.

Under Digital Access, if an external system triggers the creation of one of these documents in SAP, you license the document creation (usually in aggregate counts), rather than licensing the external user directly.

Reading SAP data in a static way (e.g., exporting data to a data warehouse) generally does not incur a charge; it’s the creation of new business documents in SAP via external systems that counts.

Comparison of Named-User vs. Document Licensing:

In practice, many enterprises employ a hybrid approach: internal employees and a select group of partners are assigned named-user licenses, while high-volume external interactions (such as customer orders, supplier updates, and API calls) are covered by Digital Access documents.

This prevents double payment – a properly licensed internal user can access SAP via any interface without incurring extra costs, and only purely external activities consume document licenses.

Read How to Right-Size SAP Licenses.

Hidden Costs and Risks of Unmanaged Indirect Access

Ignoring indirect access is risky. There have been high-profile cases where companies faced massive bills due to unlicensed indirect use.

In one famous case, a global beverage company was found to owe approximately £54 million after a court ruled that thousands of sales representatives and customers accessing SAP through a third-party CRM (Salesforce) were not properly licensed.

Around the same time, SAP pursued another large manufacturer for over $600 million in indirect usage fees related to system integrations, leading to a confidential settlement.

These events sent a clear message: even if external users never log into SAP directly, their indirect usage can carry real license obligations.

Consider a simple example: an online storefront connected to SAP for order processing.

If 10,000 customers place orders via that portal, under traditional licensing, SAP could argue that each of those customers needs a named user license (at, say, $1,000–$3,000 each), which could result in millions in additional costs.

No business would preemptively purchase 10,000 SAP logins for occasional customers, so this scenario typically remains unlicensed until an audit.

By contrast, under the Digital Access model, those 10,000 orders would count as 10,000 documents.

If Digital Access licenses are sold in packs (for example, in blocks of 1,000 documents), you might only need to license 10 blocks.

Even if a block of 1,000 documents were hypothetically priced around $1,000 (list price before any discount), those 10,000 external orders could cost on the order of $10,000 – far less than millions in user licenses.

This illustrates how optimizing the licensing model can sharply reduce exposure for high-volume scenarios. It also highlights a trade-off: you must carefully track and forecast those document counts.

If you underestimate and exceed your purchased volume, you’ll need to buy more licenses (ideally at pre-negotiated rates to avoid surprises).

The key point is that unmanaged indirect access can become a costly surprise. Companies that fail to address it may get hit with a true-up bill after an SAP audit.

To avoid this, organizations need to proactively understand and optimize the licensing of indirect access.

Identifying and Measuring Indirect Usage

Before you can optimize, you need visibility into where indirect access is happening.

Enterprises should take a systematic approach to discover and measure all indirect usage:

1. Inventory All Integrations: Compile a comprehensive list of every third-party system, interface, or application that connects to your SAP environment. Include APIs, middleware, portals, mobile apps, EDI connections, IoT sensors, and even departmental databases or bots. Document what each integration does – e.g., does it read data from SAP, write data to SAP, or create any documents (orders, invoices) in SAP? This “integration register” is fundamental. Many organizations are surprised to discover forgotten or shadow IT interfaces that access SAP data.
2. Use SAP’s Audit Tools: Leverage SAP’s own license measurement tools to detect indirect usage. The SAP License Audit Workbench (LAW) can aggregate user metrics, and SAP has provided a Digital Access Evaluation Service (and earlier, an Indirect Access estimation tool) to help estimate document creation counts. Newer SAP systems support SAP Passport tokens to tag and trace external calls creating documents. Run these tools to gather data on the number of documents external systems are creating and which accounts are being used for integrations.
3. Leverage Third-Party Monitoring: Consider specialized Software Asset Management (SAM) solutions (from vendors like Flexera, Snow, VOQUZ, etc.) that can scan your SAP environment and connected systems to identify indirect usage patterns. These tools often provide dashboards for document counts and can flag potential indirect access that SAP’s native tools might miss.
4. Analyze Logs and Usage Patterns: In addition to official tools, review system logs, interface user IDs, and batch job records to gain a deeper understanding of usage patterns. Identify which external-facing user accounts (often technical accounts) are pulling or pushing data to SAP. This can reveal, for example, that a “SERVICE_USER” account created 50,000 entries last quarter – a sign of heavy indirect activity.
5. Establish a Baseline & Monitor Regularly: Once you’ve identified where and how often indirect access occurs, establish a baseline (e.g., “external systems create ~20,000 sales order documents per month”). Monitor this on a regular cycle (monthly or quarterly reviews). Ongoing monitoring will help you identify any spikes or new integrations early, rather than waiting until the next audit. It’s much easier to address a licensing need in advance than under the pressure of an audit.

By thoroughly measuring indirect use, you build the factual foundation needed to optimize and negotiate your SAP licenses effectively.

Optimizing Indirect Access Usage and Architecture

With insight into your indirect usage, the next step is to optimize the interaction between external systems and SAP.

Both technical and architectural adjustments can reduce licensing costs:

• Optimize Current License Assignments: Begin by reviewing and updating your existing SAP user licenses. Make sure all your named users are correctly classified (no expensive license types assigned to users who don’t need that level). Reclaim unused or inactive accounts – this can free up licenses that might cover some external users legitimately. Also, check if any external people already have an internal user license (if so, their activity may already be covered). Right-sizing your named user license portfolio ensures you’re not over-counting or over-paying before considering additional licenses.
• Leverage “Read-Only” Data Repositories: Whenever possible, avoid direct real-time queries into SAP from external systems. If a third-party app only requires SAP data for reporting or infrequent lookups, provide it via a replicated database, data warehouse, or periodic data export. Static read access (viewing SAP data that’s been exported and is no longer hitting the live SAP system) generally does not incur SAP license fees. For example, if you sync SAP data to a cloud data lake and let external apps or users query it there, that can bypass indirect usage charges. Be sure to document such scenarios in your SAP contract as allowed use.
• Reduce Interface Call Frequency: Design integrations to be efficient. Instead of an external system making frequent small calls to SAP (each potentially creating documents or transactions), use batching and caching. For instance, accumulate transactions and send them in a batch or use middleware to queue and consolidate requests. Fewer calls can result in fewer documents and a lower licensing impact. This architectural approach not only reduces the load on SAP but also limits the “meter” running on Digital Access licenses.
• Consolidate Integration Points: Whenever feasible, funnel external interactions through a controlled middleware or API management layer (such as SAP Process Orchestration or SAP Integration Suite). By having a single gateway, you can better monitor and govern the external processes that interact with SAP. It’s easier to apply rules like “no write operations except through approved APIs” or to implement user authentication mapping that might tie to named users where possible. A well-architected integration landscape minimizes accidental indirect use.
• Prioritize High-Volume Flows for Digital Access: Use the data from your measurements to identify which processes create the most SAP documents. These high-volume flows (e.g., customer online orders, EDI transactions from partners, IoT sensor updates) are strong candidates for the Digital Access document model. By licensing those document types, you cover a potentially unlimited number of external users or devices that generate them. Meanwhile, for very low-volume or edge-case interfaces, it may be more cost-effective to cover those few users with existing named licenses or a small add-on agreement. The goal is to apply the right licensing model to each scenario – documents for large-scale operations, and named users for smaller-scale operations – to optimize costs.
• Continuous Usage Governance: Make indirect access optimization an ongoing IT governance concern. Every new integration project requires a review of the SAP licensing impact. Architects and developers should ask: “Will this create SAP documents? Does it use an existing licensed account? Is there a way to do this read-only or outside of SAP if licensing would be expensive?” By building awareness, you prevent unintentionally expensive integration designs. Some companies have an internal approval process before deploying any new interface to SAP, ensuring compliance is checked upfront.

Negotiating SAP Indirect Access in Contracts

Technical measures need to be paired with savvy contract negotiation to fully optimize indirect access costs.

SAP’s license policies are ultimately defined in your contract, so use your leverage to get favorable terms:

• Engage SAP Proactively: Don’t wait for an audit to address indirect access. If you identify a potential compliance gap or are considering moving to the Digital Access model, reach out to your SAP account executive early. Customers who proactively come to SAP to discuss indirect usage often secure better discounts or incentive deals (for example, SAP has in the past offered Digital Access Adoption Program incentives of up to 90% discounts or conversions of existing shelf licenses to document licenses). Use timing to your advantage – SAP may be more flexible when you’re negotiating a larger agreement (like a S/4HANA migration, a RISE subscription, or an ELA renewal) to sweeten the deal.
• Define Indirect Usage Clearly: Insist on clear definitions in your contract of what constitutes indirect use and what is exempt. For instance, explicitly state that certain scenarios (such as read-only data exports, backups, or non-production interfaces) are excluded from license counts. If you use third-party reporting tools or interfaces that only query data, ensure the contract specifies that these are not considered “use” requiring a license. Clarity here can prevent disputes later – both parties know what’s allowed.
• Negotiate Cost Protections: If you adopt Digital Access, negotiate mechanisms to control costs as usage grows. This could include a volume tier with predictable pricing (e.g., you pay a set fee for up to X documents per year, with a pre-agreed rate for additional blocks if needed) or a cap on the amount you’d pay for indirect use in a year. Some customers negotiate the right to true-up at a discount if they exceed their estimates, rather than paying the full list price under audit. The goal is to avoid open-ended financial exposure.
• Seek Bundled Deals: Ask SAP if they can bundle a certain amount of Digital Access document licenses at no extra charge as part of a larger purchase. For example, if you’re buying a new SAP module or cloud service, see if you can include a block of digital access in the package. This effectively reduces the cost and recognizes that indirect use is integral to modern SAP deployments.
• Address Future Growth: Try to lock in future pricing for additional indirect usage. If you suspect your document count will grow (for example, if you plan to double e-commerce transactions in three years), negotiate today what the price for additional documents will be. Perhaps you secure an option to buy extra document packs at a fixed discount or maintain the same per-unit rate even as you scale up. This prevents sticker shock later.
• Consider RISE or Cloud Licensing: If you are migrating to RISE with SAP (the subscription cloud bundle), understand how indirect access is handled in this context. RISE contracts often simplify licensing and may include a level of indirect usage in the subscription metrics (for example, using a metric called Full Usage Equivalents). Do not assume it’s unlimited – always confirm in writing what indirect usage is covered in any cloud or subscription deal. If it’s not clear, negotiate it explicitly into the contract to avoid ambiguity.
• Document Everything: Ensure any special terms, exemptions, or understandings with SAP are written into the contract or addendum. Verbal assurances (e.g. “we typically don’t charge for scenario X”) mean little in an audit years later unless they’re in your signed agreement. A well-negotiated contract should act as your safety net, clearly setting the rules for indirect access charges.

By approaching SAP licensing discussions with a plan and hard data (from your usage analysis), you can often turn indirect access from a liability into a manageable, budgeted line item.

The result should be predictable costs and no surprises when SAP’s auditors come knocking.

Recommendations

• Map Your Interfaces: Immediately create an inventory of all external systems and users interfacing with SAP. Complete visibility is the first step to controlling indirect access.
• Clean Up Licensing: Optimize Your Existing SAP Named-User Licenses. Remove or reassign dormant accounts and ensure users have the correct license type. This avoids paying for needless licenses and might cover some external usage already.
• Measure Document Usage: Use SAP’s tools (LAW, DAES) or third-party software to quantify how many documents external systems create in SAP. Establish a baseline for your indirect document volume and track it over time.
• Compare Cost Scenarios: Analyze the cost of staying on named-user licensing versus switching to Digital Access. Model best-case and worst-case scenarios (e.g., include potential growth in external transactions) to determine which model (or mix of models) is most cost-effective for your situation.
• Engage SAP with Data: If the analysis leans toward Digital Access or reveals a compliance gap, engage SAP early. Present your findings and negotiate from a position of knowledge. Early engagement can lead to better discounts or the inclusion of indirect usage rights in a broader deal (like an S/4HANA migration agreement).
• Negotiate Safety Nets: Don’t sign any contract update without adding protections. Define what “indirect use” does NOT include (e.g,. read-only scenarios), negotiate a cap or fixed pricing for high-volume usage, and secure discounted pricing for future growth to avoid runaway costs.
• Implement Monitoring: Establish regular monitoring and reporting procedures for indirect access. For example, review a quarterly report of external document counts and interface logs. This helps catch any surge in usage or new interfaces before they become compliance problems.
• Educate Stakeholders: Train your IT architects, integration teams, and procurement staff about indirect access rules. Make it standard practice to evaluate license impact whenever a new integration with SAP is proposed. By building awareness, your team will design solutions with compliance in mind (preventing costly mistakes like deploying an unlicensed third-party app connected to SAP).
• Plan for the Future: Factor indirect access into your future roadmap. If you’re planning to upgrade to S/4HANA or transition to cloud subscriptions, use this opportunity to renegotiate and right-size your licensing. Stay updated on SAP’s licensing policy changes beyond 2025, and revisit your indirect access strategy regularly as your business and systems evolve.

FAQ

Q1: What exactly is “indirect access” in SAP licensing?
A: Indirect access occurs when SAP is used by someone or something without a direct login to SAP. This could be a third-party application, a website, or a device that retrieves data from or submits transactions to SAP. It’s important because SAP requires licenses for this usage, even though these users and devices aren’t traditional SAP login users. Unchecked indirect access can lead to compliance issues if those uses aren’t properly licensed.

Q2: How does SAP’s Digital Access (document) license differ from a traditional user license?
A: A traditional SAP license is tied to a named user – you pay for each user (human or technical) that accesses SAP. Digital Access, on the other hand, is usage-based: you pay based on the number of specific documents created in SAP by external (indirect) systems. In short, user-based licensing charges per user, while Digital Access charges per transaction or document. This document-based model can be more transparent for high-volume scenarios, as it avoids the need to count every user or device.

Q3: Do we have to switch to Digital Access, or can we stick with the old model?
A: You are not forced to switch if your current licensing works for you, especially for existing contracts. Many existing SAP customers continue with named-user licensing for now. However, SAP strongly promotes the Digital Access model for new contracts (for example, S/4HANA or RISE deals often come with it by default). It’s wise to evaluate both options. Some organizations find they save money with Digital Access, while others with very limited external use might stick to named users. You can also adopt a hybrid approach. The key is to crunch the numbers for your specific use case and negotiate accordingly, rather than blindly accepting a single model.

Q4: How can we detect and quantify our indirect usage to know if we’re compliant?
A: Start by auditing all the integrations to your SAP system (middleware, third-party apps, APIs, etc.) to see where data is flowing in or out. Use SAP’s license audit tools like LAW and the Digital Access evaluation reports to count any documents created indirectly. SAP can provide an Indirect Usage report if requested. Additionally, consider tools from SAM providers that specialize in SAP license analytics – they can help identify where indirect access is occurring. By combining technical logs, SAP reports, and third-party analysis, you can estimate how many external users or documents are involved. This will show if there’s a licensing shortfall (e.g., thousands of documents being created without corresponding licenses).

Q5: What should we do if an SAP audit finds unlicensed indirect access?
A: If SAP audits you and discovers indirect usage that isn’t licensed, they will likely issue a compliance notice requiring you to purchase the necessary licenses – often at list price and sometimes with back-dated maintenance fees. This can be very expensive (as some companies learned the hard way). If you find yourself in that situation, it’s critical to engage in negotiation: you may seek to reduce the scope of what’s considered indirect use, negotiate a settlement or a transition to Digital Access with better terms, etc. Ideally, don’t wait for an audit – conduct an internal review beforehand and address any gaps on your own terms. If you’re proactive, you can negotiate with SAP with more flexibility (possibly securing discounts or package deals) rather than paying a surprise bill under audit pressure.